How to Recover Files from Ransomware: A Guide for Australian SMBs

Immediate Containment: How to Stop the Spread
Discovering a ransom note on your computer screen or finding your files replaced by strange extensions like .locked or .crypted is a high-stress moment for any business owner. However, the actions you take in the first five minutes can mean the difference between one compromised laptop and a total company-wide shutdown. In the cybersecurity world, this phase is known as "containment," and your goal is to prevent the ransomware from "phoning home" to its control server or hopping across your office network to encrypt shared drives.
Practical Steps for Staff: The First Five Minutes
If you suspect a breach, you must act decisively. Most ransomware is designed to move laterally, meaning it will scan your local network to find servers, other PCs, and cloud-synced folders. To stop this movement, follow these immediate steps:
- Do not restart or power off the computer: While your first instinct might be to "turn it off and on again," a reboot can let the ransomware finish an interrupted encryption run (some strains resume from a scheduled task), and it wipes the computer's memory, which may still hold the encryption key or other evidence a responder can use for recovery.
- Disconnect from the internet: If you are on a laptop, look for the Wi-Fi icon in the bottom-right corner of your taskbar and turn it off immediately. If your device has a physical "Airplane Mode" button or a Wi-Fi toggle, use it.
- Unplug the Ethernet cable: If your computer is connected to a wall socket via a cable (usually a blue, white, or yellow cord), physically pull it out. This is the most reliable way to ensure the device is "air-gapped" from the rest of the office.
- Remove all peripherals: Unplug USB sticks, external hard drives, and even your smartphone if it is charging via USB. Ransomware can easily jump to any storage device currently plugged into your machine.
Isolating the Infection at the Source
If you notice that multiple computers in your office are showing symptoms simultaneously, you are likely facing a coordinated network attack. In this scenario, isolating individual machines may not be enough. You should consider the "nuclear option": physically disconnecting the entire office from the internet at the source. This typically involves going to your NBN box or router and pulling the power cord or the WAN cable. While this stops work for everyone, it is a critical step recommended by the Australian Cyber Security Centre (ACSC) to prevent data from being exfiltrated to offshore servers.
Ransomware often targets networked drives (the S: or P: drives many Australian SMBs use for sharing files). By cutting the network connection, you effectively "quarantine" the virus, keeping it trapped on the initial device. This gives our team at OnIT Solutions a better chance of recovering your data through our cybersecurity recovery protocols without the risk of re-infection during the cleanup process.
Once the system is physically isolated and the threat of spread is mitigated, you can take a breath. The immediate "fire" is contained, but the recovery process is just beginning, starting with a careful assessment of what exactly has been hit.
Documenting Symptoms and Reporting the Attack
Once you have isolated the affected devices, your next priority is to act as a digital "first responder." While it is tempting to start clicking around to see what is left, it is vital to treat the infected machine like a crime scene. Documenting the specific symptoms of the attack is not just a bureaucratic task; it provides the forensic trail that our team at OnIT Solutions needs to identify the specific strain of malware and determine if a decryption tool already exists.
Recording Critical Details for Forensics
Before you perform any further actions, grab your smartphone or a physical notebook. You need to capture exactly what the ransomware is telling you and how it is behaving. This information helps cybersecurity experts understand the "signature" of the attack. Do not copy files onto a USB drive to show someone, as this could spread the infection; instead, use your phone to take clear photos of the screen.
Be sure to record the following details immediately:
- The Ransom Note: Take a photo of the full text of any pop-up windows or text files (often named things like READ_ME.txt or DECRYPT_HELP.html) that have appeared on your desktop, including any victim ID, contact address or payment link it shows, as these are what identify the strain.
- File Extensions: Look at your documents folder. Have your files been renamed? Note down the new extensions, such as .locky, .caesars, or .wncry.
- System Symptoms: Is the computer running extremely slowly? Are certain programs refusing to open, or is the entire Windows interface blocked by a single un-closable window?
- Timestamps: Note the exact time you first noticed the issue and the last time you know for sure the system was working correctly.
Identifying the Type: Locker vs. Encrypting Ransomware
Not all ransomware is created equal, and identifying which type you are facing will dictate your recovery options. Generally, ransomware falls into two categories. Locker ransomware is the less severe version; it effectively locks you out of your computer's user interface, often displaying a fake "police" warning or a full-screen ransom demand. The good news is that your actual files are usually still intact underneath the lock. These can often be cleaned using specialized antivirus tools without losing data.
Encrypting ransomware (also known as Filecoders) is significantly more dangerous. This malware goes through your hard drive and "scrambles" the data within your files, making them unreadable without the decryption key, which only the attacker holds. In this scenario, even if we remove the virus, your files remain encrypted. Knowing which one you have allows us to decide whether we can simply "unlock the door" or whether we need to begin the more complex process of managed IT data restoration from your offsite backups.
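The extension and ransom-note inventory from the previous section, and the locker-versus-encrypting question above, can both be answered from a read-only look at the files themselves. The following Python script is an added example, not code from the original article or from OnIT Solutions: it walks a folder tree, counts file extensions, finds ransom notes by name, measures byte entropy to decide whether file contents have actually been scrambled, and reports the earliest and latest change time of the affected files. The extension list and the entropy threshold of 7.5 bits per byte are assumptions, and the demo() function builds a small constructed sample tree in a temporary directory. Run it from a clean machine against a copy or a read-only mount of the affected share, not by plugging the infected disk into your own workstation.

```python
"""Read-only ransomware triage over a folder tree (added example, not the article's own code).

Reports extension counts, probable ransom notes, how many files look encrypted,
and the earliest/latest change time of those files (the 'timestamps' the
response team asks for).
"""
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Assumption: a short list of extensions seen on encrypted files; extend it for your case.
SUSPECT_EXTENSIONS = {".locked", ".crypted", ".locky", ".wncry", ".encrypted"}
# Ransom notes are typically small text/HTML files named like READ_ME.txt or DECRYPT_HELP.html.
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
NOTE_NAME = re.compile(r"(read[_\s-]?me|decrypt|recover|restore|how[_\s-]?to)", re.IGNORECASE)
# Assumption: ciphertext scores close to 8 bits/byte; ordinary documents sit well below 7.5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given data (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(path: str, sample_bytes: int = 4096) -> bool:
    """Sample the head of the file and flag near-maximal entropy.

    Caveat: already-compressed formats (zip, docx, jpeg) also score high, so
    read this together with the extension and ransom-note checks.
    """
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_bytes)) >= ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Walk root read-only and summarise what the ransomware appears to have done."""
    ext_counts: Counter = Counter()
    notes, encrypted, mtimes = [], [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            ext_counts[ext] += 1
            if ext in NOTE_EXTENSIONS and NOTE_NAME.search(stem):
                notes.append(path)
                continue
            if ext in SUSPECT_EXTENSIONS or looks_encrypted(path):
                encrypted.append(path)
                mtimes.append(os.path.getmtime(path))

    def iso(ts: float) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")

    return {
        # Files intact points to a locker (or this share was not reached); otherwise encrypting.
        "kind": "encrypting" if encrypted else "files_intact",
        "extension_counts": dict(ext_counts),
        "ransom_notes": sorted(notes),
        "encrypted_count": len(encrypted),
        "first_change": iso(min(mtimes)) if mtimes else None,
        "last_change": iso(max(mtimes)) if mtimes else None,
    }


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    os.makedirs(os.path.join(root, "Finance"))
    with open(os.path.join(root, "Finance", "budget_2024.txt"), "w") as fh:
        fh.write("Quarterly budget notes. " * 200)  # ordinary low-entropy text
    with open(os.path.join(root, "Finance", "invoice_118.docx.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "Finance", "payroll.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))  # encrypted in place, extension unchanged
    with open(os.path.join(root, "READ_ME_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact us to recover them.")
    return triage(root)


if __name__ == "__main__":
    print(demo())
```

The payroll.xlsx case in the sample is why the entropy check is there at all: some strains encrypt in place and leave names alone, so an extension count on its own under-reports the damage.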
Reporting to the Australian Cyber Security Centre (ACSC)
In Australia, reporting a cyberattack is a critical step for small-to-medium businesses. You should report the incident to the Australian Cyber Security Centre (ACSC) via the "ReportCyber" portal. Reporting helps the government track active campaigns targeting Australian businesses and can provide you with an official incident number, which is often required if you intend to make a claim on your business's cyber insurance policy.
When reporting, be as detailed as possible using the notes you took earlier. The ACSC uses this data to issue alerts to other SMBs, potentially preventing another local business from falling victim to the same group. Once you have a record of the symptoms and have notified the authorities, you have laid the groundwork for the actual cleanup and removal process.
With the evidence gathered and the authorities informed, the focus shifts to identifying the specific "trigger" that allowed the malware into your system in the first place.
Identifying and Removing the Infection Trigger
After isolating your devices, the next critical phase is sanitisation. Think of this as cleaning a wound before applying a bandage; if you restore your data while the "infection trigger" is still active on your computer, the ransomware will simply re-encrypt your files as soon as they appear. These trigger files are the malicious scripts or programs that initiate the attack, often hiding in obscure corners of your operating system to evade detection.
Locating the Source of Infection
Trigger files are designed to stay hidden. They typically reside in directories that the average user rarely visits, such as the Temp folders or the AppData library within your user profile. While our team at OnIT Solutions uses advanced forensic tools to find these, you can help by identifying any suspicious programs that appeared shortly before the attack began. For many Australian SMBs, these triggers are often disguised as legitimate-looking invoices (e.g., Invoice_AUS_2023.zip) or "Urgent" shipping notifications that require you to "Enable Macros" or run an .exe file.
Locker vs. Encrypting Ransomware: Why Strategy Matters
The complexity of the removal process depends entirely on the strain of ransomware you are facing. The distinction between "Locker" and "Encrypting" (or Filecoder) ransomware introduced earlier determines your next move:
- Locker Ransomware: This is generally less severe. It locks you out of your computer's user interface—often displaying a full-screen image of a government or police warning—but it often leaves your underlying files untouched. In these cases, a deep scan with professional-grade antivirus software can often remove the "lock" and return the system to normal.
- Encrypting Ransomware: This is the more severe "Filecoder" variety. While antivirus software can remove the malicious program that performed the encryption, the files themselves remain scrambled and unreadable. For these strains, simple removal is just the first step in a much longer recovery journey.
The Cleaning Process: Using Antivirus and Anti-Malware
To ensure your system is safe, you must run an exhaustive cleaning process across all devices that were connected to the network during the breach. Do not rely on a single "Quick Scan" as it might miss dormant scripts. Follow these steps to prepare your hardware for restoration:
- Update Definitions on a Clean Machine: On a separate, known-clean computer, download the latest malware definition updates for your security software. If your office network is compromised, you may need to do this using a different internet connection.
- Run a Full System Scan: Use a reputable antivirus or anti-malware package to perform a "Deep" or "Full" scan of the infected machine. This checks every single file, rather than just the most common hiding spots like the C:\Windows folder.
- Check for Persistence: Ensure the software checks for "persistence mechanisms": registry Run keys, scheduled tasks, services, startup-folder entries and similar tricks malware uses to restart itself or "phone home" every time you turn your computer back on.
- Verify with a Second Opinion: After the first cleaning, it is a best practice to run a second scan using a different reputable tool. This helps catch any polymorphic code that might have bypassed the first scan's detection.
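The "Check for Persistence" step is where most missed re-infections come from, so it helps to have a second, tool-independent look at the autostart locations. The Python script below is an added example, not OnIT Solutions' tooling: on Windows it reads the Run and RunOnce registry keys (scheduled tasks, services and WMI subscriptions need the same treatment and are not covered here), and on any platform it scores a list of autostart entries with a few heuristics: a launch path in a user-writable directory, a script host or other living-off-the-land binary, an encoded PowerShell command line, and shadow-copy or recovery tampering. The heuristics and the SAMPLE_ENTRIES list are constructed assumptions for illustration; run it from a clean administrator shell on the isolated machine and review everything it ranks rather than treating a clean antivirus result as final.

```python
"""Triage of autostart ("persistence") entries (added example, not the article's code).

collect_run_keys() reads the registry Run/RunOnce keys on Windows; rank_entries()
scores any list of {"source", "name", "command"} entries with a few heuristics.
The heuristics and SAMPLE_ENTRIES are assumptions for illustration.
"""
import re
import sys

# Directories any logged-in user can write to; legitimate services rarely launch from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
# Script hosts and "living off the land" binaries often used to launch droppers.
LOLBINS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\b", re.IGNORECASE
)
# PowerShell -EncodedCommand with a base64 blob hides the real command line.
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# Commands that destroy shadow copies, clear logs or disable recovery before encryption starts.
RECOVERY_TAMPER = re.compile(
    r"vssadmin.*delete\s+shadows|wbadmin\s+delete|recoveryenabled\s+no|wevtutil\s+cl", re.IGNORECASE
)

RUN_SUBKEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def collect_run_keys() -> list:
    """Enumerate HKCU/HKLM Run and RunOnce values. Returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        for sub in RUN_SUBKEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    index = 0
                    while True:
                        try:
                            name, value, _kind = winreg.EnumValue(key, index)
                        except OSError:
                            break  # no more values under this key
                        entries.append({"source": f"{label}\\{sub}", "name": name, "command": str(value)})
                        index += 1
            except OSError:
                continue  # key absent or access denied
    return entries


def score_entry(entry: dict) -> tuple:
    """Return (score, reasons) for one autostart entry; higher means look at it first."""
    cmd = entry["command"]
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("launches from a user-writable directory")
    if LOLBINS.search(cmd):
        reasons.append("uses a script host or LOLBin")
    if ENCODED.search(cmd):
        reasons.append("encoded command line")
    if RECOVERY_TAMPER.search(cmd):
        reasons.append("deletes shadow copies or disables recovery")
    return len(reasons), reasons


def rank_entries(entries: list) -> list:
    """Keep entries with at least one hit, highest score first (stable for ties)."""
    scored = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score:
            scored.append({**entry, "score": score, "reasons": reasons})
    return sorted(scored, key=lambda e: -e["score"])


# Constructed sample: one legitimate entry and three that a responder should pull apart.
# The base64 blob is a placeholder, not a real payload.
SAMPLE_ENTRIES = [
    {"source": r"HKCU\...\Run", "name": "OneDrive",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"source": r"HKCU\...\Run", "name": "Updater",
     "command": r"powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwA= C:\Users\jane\AppData\Roaming\u.dat"},
    {"source": r"HKLM\...\Run", "name": "Cleanup",
     "command": r'powershell.exe -c "vssadmin delete shadows /all /quiet"'},
    {"source": r"HKCU\...\RunOnce", "name": "WindowsHelper",
     "command": r"C:\Users\jane\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    live = collect_run_keys()  # empty unless run on Windows
    for hit in rank_entries(live or SAMPLE_ENTRIES):
        print(hit["score"], hit["source"], hit["name"], "->", "; ".join(hit["reasons"]))
```

A score of zero is not a clean bill of health; the point of the ranking is to decide where to spend the first hour of manual review.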
Once the triggers have been successfully removed and your antivirus reports a "clean" status, you have created a safe landing zone for your data. Bear in mind that a clean scan is evidence, not proof: for any machine that actually ran the encryptor, the safer course is to wipe it and reinstall from a known-good image, and to change every password that was used on it. With that done, the system is ready for the technical task of bringing your business operations back to life through your backup archives.
Restoring Data Safely from Backups
If you have followed a robust backup strategy, this is where your investment finally pays off. Having clean, off-site, or immutable backups means you can avoid the ethical and financial nightmare of negotiating with cybercriminals. At OnIT Solutions, we always advise Australian businesses to prioritise restoration over ransom payments, as there is never a guarantee that attackers will actually provide a working decryption key. By choosing to restore, you maintain control over your data and refuse to fund the criminal ecosystem that targets SMBs.
Managing the "Dwell Time" Trap
One of the most dangerous aspects of a ransomware attack is "dwell time": the period between the attacker's first access to your network and the moment the intrusion is detected, which for ransomware is usually when encryption starts. Attackers often stay quiet for weeks or months, creating accounts, installing remote-access tools and probing your backups, and all of that ends up captured in your daily, weekly and even monthly backup cycles. If you restore a backup from the day before the encryption, you are likely restoring the attacker's foothold as well. To counter this, your recovery plan must involve looking back through your archival data to find a "known-good" state that predates the intruder's entry into your system.
Step-by-Step: A Safe Restoration Process
Restoring data for a business is a high-stakes task that requires a methodical approach. Do not rush to put everything back onto your live servers until you have verified that the environment is sterile. Follow these steps to ensure a safe recovery:
- Identify the Breach Window: Work with your cybersecurity experts to review system logs and determine when the intruder first gained access. This tells you how far back you need to go in your backup history.
- Provision an Isolated Environment: Create a "sandbox" or a completely fresh server environment that is not connected to your main network. This prevents any missed malware from jumping back onto your cleaned machines.
- Restore in Stages: Start by restoring mission-critical databases and files first. Use your cloud solutions management console to select specific restore points rather than a "blanket" restoration of the entire drive.
- Run Post-Restoration Scans: Before moving files from the sandbox to the production environment, run a deep anti-malware scan on the restored file system. Use rootkit scanners and behaviour-based detection tools to ensure no "trigger files" are hiding in AppData or System32 folders.
- Validate File Integrity: Open a sample of critical files (like spreadsheets or PDFs) to ensure they are readable and haven't been corrupted or partially encrypted.
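The dwell-time discussion and steps 1 and 5 above can be made concrete: work out the first indicator of compromise from the logs, pick the newest backup that is safely older than it, and verify the restore with a hash manifest. The Python below is an added example, not the article's or any backup vendor's code. The event records, the indicator rules (an RDP logon from outside an assumed office range of 10.0.0.0/8, a new account, a new service, shadow-copy deletion, an audit log being cleared), the one-day safety margin and the snapshot times are all constructed for illustration; in a real case the log extract comes from the domain controller and file server, and the rule set is whatever your responders consider evidence of the intruder's earliest access.

```python
"""Find the breach window in log events and pick a restore point that predates it
(added example, not the article's own tooling). Event records, indicator rules and
snapshot times below are constructed for illustration; hash_tree() builds a manifest
you can diff before and after a restore.
"""
import hashlib
import ipaddress
import os
import re
from datetime import datetime, timedelta
from typing import Optional

OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: where staff normally connect from


def rdp_from_outside(message: str) -> bool:
    """Event 4624 with Logon Type 10 (RDP) from an address outside the office ranges."""
    if not re.search(r"Logon Type:\s*10\b", message):
        return False
    m = re.search(r"Source Network Address:\s*([\d.]+)", message)
    if not m:
        return False
    addr = ipaddress.ip_address(m.group(1))
    return not any(addr in net for net in OFFICE_NETWORKS)


# (event_id, predicate on the message, label); predicate None means the ID alone is enough.
INDICATORS = [
    (4624, rdp_from_outside, "RDP logon from outside the office"),
    (4720, None, "new user account created"),
    (7045, None, "new service installed"),
    (4688, lambda m: re.search(r"vssadmin.*delete\s+shadows|wevtutil\s+cl|bcdedit", m, re.I) is not None,
     "shadow copy / recovery tampering"),
    (1102, None, "audit log cleared"),
]


def first_indicator(events: list) -> Optional[dict]:
    """Earliest event that matches an indicator rule, or None."""
    hits = []
    for ev in events:
        for event_id, pred, label in INDICATORS:
            if ev["event_id"] == event_id and (pred is None or pred(ev["message"])):
                hits.append({"time": ev["time"], "label": label, "message": ev["message"]})
                break
    return min(hits, key=lambda h: h["time"]) if hits else None


def choose_restore_point(snapshots: list, first_ioc_time: datetime,
                         margin: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """Latest snapshot taken at least `margin` before the first indicator; None if nothing qualifies."""
    cutoff = first_ioc_time - margin
    candidates = [s for s in snapshots if s <= cutoff]
    return max(candidates) if candidates else None


def hash_tree(root: str) -> dict:
    """Relative path -> SHA-256 of contents. Build one from the restored sandbox and
    compare it with a manifest of the backup to catch partial or tampered restores."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def manifest_diff(expected: dict, actual: dict) -> dict:
    """Files missing from, changed in, or unexpectedly present in the restored tree."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "changed": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed Windows event log extract (AEST timestamps).
SAMPLE_EVENTS = [
    {"time": parse_time("2024-03-01T08:02:00+10:00"), "event_id": 4624,
     "message": "Logon Type: 2 Account Name: jane Source Network Address: 10.1.4.22"},
    {"time": parse_time("2024-03-03T02:14:00+10:00"), "event_id": 4624,
     "message": "Logon Type: 10 Account Name: admin Source Network Address: 203.0.113.45"},
    {"time": parse_time("2024-03-05T03:30:00+10:00"), "event_id": 4720,
     "message": "A user account was created. New Account: svc_backup2"},
    {"time": parse_time("2024-03-10T01:05:00+10:00"), "event_id": 7045,
     "message": "A service was installed in the system. Service Name: PSEXESVC"},
    {"time": parse_time("2024-03-12T00:40:00+10:00"), "event_id": 4688,
     "message": "New Process: vssadmin.exe delete shadows /all /quiet"},
    {"time": parse_time("2024-03-12T00:50:00+10:00"), "event_id": 1102,
     "message": "The audit log was cleared."},
]
# Constructed nightly snapshot times from the backup console.
SAMPLE_SNAPSHOTS = [parse_time(d + "T23:00:00+10:00")
                    for d in ("2024-02-25", "2024-02-28", "2024-03-01", "2024-03-02", "2024-03-04", "2024-03-11")]


def demo() -> dict:
    ioc = first_indicator(SAMPLE_EVENTS)
    restore = choose_restore_point(SAMPLE_SNAPSHOTS, ioc["time"]) if ioc else None
    return {"first_indicator": ioc, "restore_point": restore}


if __name__ == "__main__":
    print(demo())
```

In the sample the encryption ran on 12 March but the first suspicious logon is on 3 March, so the "day before the attack" backup is useless and the tool selects the 1 March snapshot instead. If no snapshot predates the first indicator, the answer is a rebuild plus a selective data-only restore, not a restore of the most recent image.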
Once you are confident that the restored data is clean, you can begin the process of reconnecting your systems to the internet and allowing staff to resume their duties. However, the work doesn't stop once the files are back; you must now ensure that the vulnerabilities that allowed the attack in the first place are permanently sealed.
Essential Cyber Hygiene for Ransomware Prevention
While knowing how to react to a breach is vital, the ultimate goal for any Australian business is to ensure the attack never gains a foothold in the first place. Cyber hygiene is a set of daily practices and system configurations that significantly reduce your "attack surface"—the number of ways a hacker can enter your network. For small-to-medium businesses (SMBs), focusing on a few high-impact areas can provide a level of protection that discourages all but the most persistent attackers.
Enforcing MFA and the Principle of Least Privilege
The first line of defence is controlling who has access to your data and how they verify their identity. Multi-Factor Authentication (MFA) is no longer optional; it is a foundational requirement of a modern cybersecurity strategy. MFA requires two or more pieces of evidence to log in, such as a password and a code from an authenticator app or a hardware key. This ensures that even if a staff member's password is stolen in a phishing attack, the criminal cannot access the account without that second factor; app- or key-based factors are preferable to SMS codes, which can be intercepted or socially engineered.
Alongside MFA, your business should adopt the "Principle of Least Privilege" (PoLP). This means that every employee, from the CEO to the newest intern, should only have access to the specific files and systems required to perform their job. If a receptionist’s account is compromised but they only have access to the front-desk calendar, the ransomware cannot easily "jump" to the sensitive payroll or client folders. To implement this, consider the following:
- Audit user roles: Review who has "Administrator" rights and downgrade any accounts that don't strictly need them for daily tasks.
- Departmental silos: Ensure that the Marketing team cannot access Finance folders, and vice versa, unless there is a specific business need.
- Revoke access immediately: Have a clear process for removing all system access the moment an employee leaves the company.
Automating Software Patches and Updates
Cybercriminals often exploit "vulnerabilities"—tiny bugs or holes in software code—to bypass security measures and install ransomware. Software developers constantly release "patches" to plug these holes. If your business delays these updates, you are essentially leaving your digital back door unlocked. This applies not just to Windows or macOS, but to every application you use, including web browsers, PDF readers, and even your office router.
For most Australian SMBs, the most effective way to manage this is through automation. Ensure that "Automatic Updates" are toggled on for all operating systems. If you use specialized industry software that requires manual updates, schedule a monthly "Maintenance Window" where an IT lead or a managed IT service provider checks that every device on the network is running the latest version. This simple habit aligns with the Australian Cyber Security Centre (ACSC) "Essential Eight" guidelines and is one of the most cost-effective ways to prevent a breach.
Implementing Immutable Backups
Modern ransomware is "backup-aware," meaning it will often search for your backup files and delete or encrypt them first to ensure you have no choice but to pay the ransom. To counter this, you need a dedicated backup service that offers "immutable" storage. Immutability means that once your data is backed up, it cannot be changed, overwritten, or deleted for a set period, even by someone with administrative credentials.
When choosing cloud backup solutions, look for providers that emphasize fast restoration capabilities (Recovery Time Objective). In a ransomware scenario, it isn't just about having the data; it’s about how quickly you can get your staff back to work. A high-quality backup system should allow you to "spin up" a virtual version of your server in the cloud within minutes while your local hardware is being cleaned.
By combining restricted access, up-to-date software, and unchangeable backups, you create a resilient environment that can withstand the majority of automated ransomware campaigns targeting Australian businesses. However, technology is only half the battle; the final piece of the puzzle involves preparing your team and your processes for the long term.
Building Long-Term Resilience and Response Plans
While recovering files is a significant victory, the ultimate goal for any Australian business is to ensure the same vulnerability is never exploited again. Resilience isn't just about having a backup; it is about building a layered defence that makes your business a difficult target for cybercriminals. In the wake of an attack, it is vital to move from a "reactive" mindset to a "proactive" one, ensuring your cybersecurity posture is strong enough to withstand future threats.
Beyond Antivirus: Modern Endpoint Protection
For many years, traditional antivirus software relied on "signature matching." This works like a digital library of known "bad" files; if a file matches a record in the library, the software blocks it. However, modern ransomware changes its code constantly to avoid these lists. This is why our team at OnIT Solutions recommends deploying endpoint protection tools that use behaviour-based detection.
Instead of just looking for known signatures, these advanced tools monitor how programs behave on your computers. If a program suddenly starts encrypting thousands of files in a few seconds or tries to disable your security settings, the system identifies this as suspicious behaviour and kills the process instantly. This approach is far more effective at stopping "Zero Day" attacks—threats that are so new that no signature exists for them yet.
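The mass-encryption behaviour described above is simple enough to implement as a sliding-window counter, which is what the following Python does. It is an added example, not code from any endpoint protection product or from OnIT Solutions: it consumes file-system events in time order and flags a process that changes more than a threshold number of distinct files within a few seconds, or that touches a canary file planted in a share. The window, threshold, canary path, process allowlist and sample events are all constructed assumptions; a real agent gets its events from a file-system filter driver or an EDR sensor and would suspend the process rather than just return an alert.

```python
"""Behaviour-based detection of mass file encryption (added example, not a product's code).

Feed file-system events in time order; a process is flagged when it modifies or
renames THRESHOLD distinct files within WINDOW_MS, or touches a canary file.
Thresholds, the allowlist and the sample events are assumptions.
"""
import os
from collections import defaultdict, deque
from typing import Optional

WINDOW_MS = 5_000   # sliding window length in milliseconds
THRESHOLD = 20      # distinct files changed inside the window before we alert
CANARY_FILES = {r"C:\Shares\Finance\~do_not_open_canary.docx"}
# Processes expected to churn through many files (backup agents, indexers); tune per site.
ALLOWLIST = {"veeamagent.exe", "searchindexer.exe"}


def extension_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


class MassEncryptionDetector:
    def __init__(self, window_ms: int = WINDOW_MS, threshold: int = THRESHOLD):
        self.window_ms = window_ms
        self.threshold = threshold
        self.recent = defaultdict(deque)  # pid -> deque of (ts_ms, path) inside the window
        self.alerts = {}                  # pid -> alert (one per process)

    def observe(self, ev: dict) -> Optional[dict]:
        """ev: {"ts", "pid", "process", "op", "path"[, "new_path"]}; returns an alert or None."""
        pid = ev["pid"]
        if pid in self.alerts or ev["process"].lower() in ALLOWLIST:
            return None
        if ev["path"] in CANARY_FILES and ev["op"] in ("write", "rename", "delete"):
            return self._alert(ev, "canary file touched", 1)
        if ev["op"] == "write":
            touched = ev["path"]
        elif ev["op"] == "rename" and extension_changed(ev["path"], ev["new_path"]):
            touched = ev["path"]
        else:
            return None
        window = self.recent[pid]
        window.append((ev["ts"], touched))
        while window and ev["ts"] - window[0][0] > self.window_ms:
            window.popleft()  # drop events that fell out of the window
        distinct = len({p for _, p in window})
        if distinct >= self.threshold:
            return self._alert(ev, "mass file modification", distinct)
        return None

    def _alert(self, ev: dict, reason: str, count: int) -> dict:
        alert = {"ts": ev["ts"], "pid": ev["pid"], "process": ev["process"],
                 "reason": reason, "count": count}
        self.alerts[ev["pid"]] = alert  # a real agent would suspend or kill the process here
        return alert


def run(events: list) -> list:
    """Replay events in timestamp order and collect the alerts raised."""
    det = MassEncryptionDetector()
    return [a for a in (det.observe(ev) for ev in sorted(events, key=lambda e: e["ts"])) if a]


def sample_events() -> list:
    """Constructed: a user saving a few documents, a backup agent, and an encryptor."""
    events = [{"ts": 1_000 * i, "pid": 100, "process": "winword.exe", "op": "write",
               "path": rf"C:\Shares\Finance\report{i}.docx"} for i in range(3)]
    events += [{"ts": 5_000 + 10 * i, "pid": 300, "process": "veeamagent.exe", "op": "write",
                "path": rf"C:\Backups\chunk{i}.vbk"} for i in range(100)]
    events += [{"ts": 10_000 + 50 * i, "pid": 4242, "process": "update.exe", "op": "rename",
                "path": rf"C:\Shares\Finance\doc{i}.xlsx",
                "new_path": rf"C:\Shares\Finance\doc{i}.xlsx.locked"} for i in range(40)]
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

With these settings update.exe is stopped after its twentieth rename, less than a second into the run, while the backup agent that wrote a hundred files in the same second is ignored because it is allowlisted. The allowlist is also the weak point: an attacker who can run code as an allowlisted process name is not caught by this rule, which is why the canary check exists as an independent trigger.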
Creating Your Australian Incident Response Playbook
Every Australian SMB should have a written Incident Response Plan (IRP). Think of this as your business’s emergency fire drill. When an attack happens, panic is your worst enemy; having a clear, step-by-step guide allows your team to act rationally and quickly. A solid plan tailored for Australian operations should include:
- Defined Roles: Who is responsible for calling the IT provider? Who handles communications with clients? Who notifies the Australian Cyber Security Centre (ACSC)?
- Communication Channels: How will your team talk if your email system is encrypted? Many businesses use encrypted messaging apps like Signal or WhatsApp as a backup.
- Legal and Regulatory Obligations: Under the Notifiable Data Breaches (NDB) scheme, your business may have a legal requirement to report the breach to the Office of the Australian Information Commissioner (OAIC).
Strengthening the "Human Firewall"
Technical tools are essential, but the majority of ransomware enters a network because an employee accidentally clicked a malicious link or opened a suspicious attachment. Educating your staff is often the most cost-effective way to prevent a breach. Effective training should go beyond a one-off presentation and become part of your office culture.
Teach your team to look for the "tells" of a phishing email: mismatched sender addresses, urgent or threatening language, and unusual requests for sensitive information. By empowering your employees to report suspicious activity immediately—without fear of getting in trouble—you create a "Human Firewall" that can stop an attack before it ever reaches your server. Investing in managed IT services can help automate this training through simulated phishing tests that help staff learn in a safe environment.
Taking these proactive steps transforms your business from a potential victim into a resilient enterprise that can maintain continuity even in the face of evolving cyber threats.
Need Expert IT Help?
Still stuck, or want this handled professionally? Our technicians provide fast remote and on-site IT support across Australia. Whether it's a one-off issue or ongoing support for your whole team, we've got you covered. Get in touch with OnIT Solutions today.
